Protecting communications against forgery D. J. Bernstein - PDF document


  1. Protecting communications against forgery D. J. Bernstein University of Illinois at Chicago

  2. Secret-key authenticators. Message $m \in 10^{50}\mathbf{Z}$, at most 1000000 digits. Sender and receiver know secret prime $p$, $10^{39} < p < 10^{40}$, and secret $k \in \mathbf{Z}$, $0 \le k < 10^{45}$. Sender transmits $(m, a)$ where $a = ((m \bmod p) + k) \bmod 10^{45}$.

  3. Forger replaces $(m, a)$ with $(m', a')$. Receiver discards $(m', a')$ unless $a' = ((m' \bmod p) + k) \bmod 10^{45}$. If $(p, k)$ is uniform: The forger has chance $< 10^{-33}$ of fooling the receiver.

  4. How many pairs $(p, k)$ satisfy $a = ((m \bmod p) + k) \bmod 10^{45}$? At least $9 \cdot 10^{37}$. How many also satisfy $a' = ((m' \bmod p) + k) \bmod 10^{45}$? Fewer than $9 \cdot 10^{4}$ if $m \ne m'$: for some $\delta \in \{-1, 0, 1\}$ have $p$ dividing $m - m' + 10^{45}\delta - a + a'$.

  5. Handling multiple messages. Sender and receiver know secrets $p, k_1, k_2, k_3, \ldots$. Sender transmits $n$th message $m$ as $(n, m, a)$ where $a = ((m \bmod p) + k_n) \bmod 10^{45}$. (Gilbert, MacWilliams, Sloane; Wegman, Carter; Karp, Rabin)

  6. Faster system: Secrets $p_0, k_1, k_2, \ldots \in F$ where $F = \mathbf{Z}/(2^{127} - 1)$. Transmit $n$th message $m \in xF[x]$ as $(n, m, m(p_0) + k_n)$. Generating primes in $F[x]$ is easier than generating primes in $\mathbf{Z}$.

  7. Unpredictability. Random functions $f, u : S \to T$. Finite $T$; uniform $u$. Example: $f = \mathrm{RC6}_r$, uniform $r$. $f$ is unpredictable if, for all fast oracle algorithms $A$, $\Pr[A(f) \text{ says yes}] \approx \Pr[A(u) \text{ says yes}]$.

  8. Sender and receiver know secret $f$; use $k_n = f(n)$. Safe if $f$ is unpredictable. Want $f$ short: specified concisely. If every short fast $f$ is efficiently predictable then factoring is poly-time. (Blum, Blum, Shub)

  9. Derandomization. BPP = P if there is a family of sufficiently unpredictable sufficiently short fast $f$'s. (Yao) Some specific families are conjectured to work. In my talk I should have started by emphasizing that we can deterministically compute the exact average result of a probabilistic algorithm using a short random function, by running through all the possibilities for the function. This average is approximately the average result of the algorithm using a uniform random function; which, by definition of BPP, is approximately 1 or 0 depending on whether the input string is in the language. The random function has to be unpredictable for all algorithms as fast as the algorithm we started with, but still short enough that we can quickly try all the possibilities. It seems sufficient for the number of possibilities to be roughly the fourth power of the run time of the original algorithm.

  10. The Diffie-Hellman system. [Diagram labels: Sender's secret $b$; Sender's public key $g^b$; Receiver's secret $c$; Receiver's public key $g^c$; Secret $g^{bc}$ (shown twice).]

  11. Can find 300-digit prime $q$ such that $\ell = 2q + 1$ is prime. Take $g$ = image of 4 in $(\mathbf{Z}/\ell)^*$. Or find 50-digit prime $q$, 300-digit prime $\ell \equiv 1 \pmod{q}$. Take $g$ of order $q$ in $(\mathbf{Z}/\ell)^*$.

  12. Or find 150-digit prime $q$ such that $\ell = 2q - 1$ is prime. Take $g$ of order $q$ in $(\mathbf{F}_{\ell^2})^*$. Or find 50-digit primes $q, \ell$ and point $g$ of order $q$ on an elliptic curve over $\mathbf{Z}/\ell$.

  13. Public-key signatures. [Diagram labels: Message $m$; Secret $b$; Signed message $m, s$; Public key $n$; Verification.]

  14. ElGamal signatures. Public functions $H, I$. Public $g$ of prime order $q$. Public key $n = g^b$. $(r, u)$ is a signature of $m$ if $r = g^{H(m)u} n^{I(r)u}$, $0 < u < q$. Signer chooses $r = g^e$ for uniform random $e$.

  15. Modify signatures to save space: $(t, u)$ is a signature of $m$ if $t = I(g^{H(m)u} n^{tu})$, $0 < u < q$. Two elements of $\mathbf{Z}/q$ instead of one element and one power of $g$. (Schnorr, Kravitz) I said Krovetz when I gave this talk. My apologies to Krovetz and Kravitz. My only excuse is that I was preparing three talks in one frantic week.

  16. Rabin-Williams signatures. Secret 150-digit primes $p, q$ with $p \bmod 8 = 3$, $q \bmod 8 = 7$. Public key $n = pq$. $(r, f, s)$ is a signature of $m$ if $n$ divides $s^2 - fH(r, m)$ and $f \in \{-2, -1, 1, 2\}$. Signer chooses $r$ randomly.

  17. Modify signatures to save time: $(r, h, f, s, t)$ is a signature of $m$ if $f \in \{-2, -1, 1, 2\}$, $s, t$ not too large, $h = H(r, m)$, and $s^2 = fh + tn$. Verifier computes $s^2 - fh - tn$ modulo a secret 40-digit prime.

  18. Assume 40-digit $r$. If forger has generic attack with forgery chance $\ge 10^{-10}$ using $10^{10}$ valid signatures and $10^{10}$ calls to $H$ then forger can factor $n$ at about the same speed with chance $\ge 10^{-11}$.
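
Slides 2 to 4 at a scale small enough to enumerate, as an added example that is not from the talk: it lists every key $(p, k)$ consistent with an observed $(m, a)$, finds those that would also accept a forged $(m', a')$, and exposes the three integers of slide 4 so the divisibility claim can be checked. The toy sizes (primes between $10^3$ and $10^4$, $k < 10^5$, messages in $10^7\mathbf{Z}$) and all function names are assumptions.

```python
from math import prod

K = 10**5        # toy stand-in for the slides' 10**45
STEP = 10**7     # messages are multiples of STEP (slides: 10**50)

def primes_between(lo, hi):
    """Primes p with lo < p < hi, by a plain sieve."""
    sieve = bytearray([1]) * hi
    sieve[0] = sieve[1] = 0
    for i in range(2, int(hi ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, hi, i)))
    return [p for p in range(lo + 1, hi) if sieve[p]]

PRIMES = primes_between(10**3, 10**4)   # toy stand-in for 10**39 < p < 10**40

def tag(m, p, k):
    return ((m % p) + k) % K

def consistent_keys(m, a):
    """Every (p, k) an observer cannot rule out after seeing (m, a): one k per p."""
    return [(p, (a - m % p) % K) for p in PRIMES]

def accepting_keys(m, a, m2, a2):
    """Consistent keys under which the receiver would also accept (m2, a2)."""
    return [(p, k) for p, k in consistent_keys(m, a) if tag(m2, p, k) == a2]

def slide4_targets(m, a, m2, a2):
    """m - m' + K*delta - a + a' for delta in {-1, 0, 1}."""
    return [m - m2 + K * d - a + a2 for d in (-1, 0, 1)]

def forgery_for(m, a, guesses):
    """Constructed (m', a') whose delta = 0 target is divisible by each guess."""
    return m + STEP * prod(guesses), a

if __name__ == "__main__":
    m, p, k = STEP * 271828182845, PRIMES[500], 31415   # constructed sample
    a = tag(m, p, k)
    m2, a2 = forgery_for(m, a, PRIMES[10:15])
    hits = accepting_keys(m, a, m2, a2)
    print(len(hits), "of", len(consistent_keys(m, a)), "keys accept the forgery")
```

The ratio printed is the forger's success chance when $(p, k)$ is uniform; at the slides' sizes the same count is fewer than $9 \cdot 10^4$ out of at least $9 \cdot 10^{37}$.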
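
Slides 6 and 8 combined, as an added example that is not from the talk: the tag $m(p_0) + k_n$ over $\mathbf{Z}/(2^{127} - 1)$ with $k_n = f(n)$. The byte-to-coefficient encoding, HMAC-SHA256 in place of RC6 for $f$, the receiver's replay check and all names are assumptions.

```python
import hashlib
import hmac

P = 2**127 - 1    # F = Z/(2^127 - 1), as on slide 6

def coefficients(msg):
    """Injective encoding (assumed): 15-byte chunks, each with 0x01 appended."""
    return [int.from_bytes(msg[i:i + 15] + b"\x01", "little")
            for i in range(0, len(msg), 15)]

def poly_eval(msg, p0):
    """m(p0) for m in xF[x]: Horner's rule, constant term zero."""
    acc = 0
    for c in coefficients(msg):
        acc = (acc + c) * p0 % P
    return acc

def f(r, n):
    """k_n = f(n); HMAC-SHA256 is an assumed stand-in for the slides' RC6_r."""
    digest = hmac.new(r, n.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P

def tag(p0, r, n, msg):
    return (poly_eval(msg, p0) + f(r, n)) % P

class Sender:
    def __init__(self, p0, r):
        self.p0, self.r, self.n = p0, r, 0

    def send(self, msg):
        self.n += 1    # each k_n masks exactly one message
        return self.n, msg, tag(self.p0, self.r, self.n, msg)

class Receiver:
    def __init__(self, p0, r):
        self.p0, self.r, self.last_n = p0, r, 0

    def accept(self, n, msg, a):
        # Requiring n to increase (replay rejection) is an added assumption.
        if not (self.last_n < n < 2**64 and 0 <= a < P):
            return False
        expected = tag(self.p0, self.r, n, msg).to_bytes(16, "big")
        if not hmac.compare_digest(expected, a.to_bytes(16, "big")):
            return False
        self.last_n = n
        return True
```

In use, $p_0$ is drawn uniformly from $F$ and $r$ is a random key shared by both sides; two distinct messages of at most $L$ chunks collide under at most $L$ of the $2^{127} - 1$ possible values of $p_0$.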
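
Slides 14 and 15 as running code, an added example that is not from the talk, using the first parameter choice of slide 11 ($\ell = 2q + 1$, $g$ = image of 4) at a toy size. $H$ = SHA-256 mod $q$, $I(r) = r \bmod q$, the 128-bit default and all function names are assumptions.

```python
import hashlib
import secrets

def is_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        chain = [pow(x, 2 ** j, n) for j in range(s)]
        if x != 1 and n - 1 not in chain:
            return False
    return True

def keygen(bits=128):
    """Slide 11, first option: l = 2q + 1 prime, g = image of 4 (toy size)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            break
    l, b = 2 * q + 1, secrets.randbelow(q - 1) + 1
    return (q, l, 4, pow(4, b, l)), b   # public (q, l, g, n), secret b

def H(m, q):   # assumed choice of the public function H
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def I(r, q):   # assumed choice of the public function I
    return r % q

def rhs(pub, m, i, u):   # g^(H(m)u) * n^(iu) in (Z/l)^*
    q, l, g, n = pub
    return pow(g, H(m, q) * u, l) * pow(n, i * u, l) % l

def sign(pub, b, m):
    q, l, g, n = pub
    while True:
        e = secrets.randbelow(q - 1) + 1          # fresh uniform e per signature
        r = pow(g, e, l)
        denom = (H(m, q) + b * I(r, q)) % q       # r = g^(denom * u) needs u = e/denom
        if denom:
            return r, e * pow(denom, -1, q) % q

def verify(pub, m, r, u):            # slide 14: signature (r, u)
    return 0 < u < pub[0] and r == rhs(pub, m, I(r, pub[0]), u)

def verify_short(pub, m, t, u):      # slide 15: signature (t, u) with t = I(r)
    return 0 < u < pub[0] and t == I(rhs(pub, m, t, u), pub[0])
```

A signer sends `(I(r, q), u)` from the output of `sign` to get the shorter slide-15 form; both verifiers reject `u` outside $0 < u < q$ before doing any exponentiation.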
